[c-nsp] Ingress policing on a 3560

Tassos Chatzithomaoglou achatz at forthnet.gr
Mon Jun 1 03:48:42 EDT 2009


Tom,

If I remember right, in 3560/3750 MAC ACLs are used only for classification of non-IP 
traffic. So if you're testing with IP (like iperf) you won't be able to match it.

Also, use "sh mls qos int gi0/14 stat" to check for drops due to policing.

-- 
Tassos

Tom Storey wrote on 01/06/2009 07:57:
> Thanks to those who have responded so far.
> 
> To answer a couple of so far common questions:
> 
> "mls qos" is enabled:
> 
> sw2#sh mls qos
> QoS is enabled
> QoS ip packet dscp rewrite is enabled
> 
> And I don't appear to be counting any hits against my MAC ACL, which may
> explain part of the problem:
> 
> sw2#sh access-lists mac-any-any
> 
> Extended MAC access list mac-any-any
>     permit any any 0x0 0xFFFF
> 
> I tried applying the ACL inbound on the interface to see if it would count
> any hits, and there are zero hits on there too. I also modified the ACL
> rule to what you see above based on an example I found.
> 
> So something is definitely up there, considering I am pumping 12000+ pps
> through it each way with iperf. :-)
> 
> Back to the drawing board.
> 
> Cheers,
> Tom
> 
>> Hi all.
>>
>> What I'm trying to do is police ingress on a port, using a MAC ACL to
>> match traffic to police (just a "permit any any" to match all traffic).
>>
>> But what I'm getting is that the switch doesn't appear to be matching any
>> traffic at all.
>>
>> sw2#sh int gi0/14 | inc put rate
>>   30 second input rate 20449000 bits/sec, 1688 packets/sec
>>   30 second output rate 2620000 bits/sec, 1690 packets/sec
>> sw2#sh policy-map int gi0/14
>>  GigabitEthernet0/14
>>
>>   Service-policy input: police-10mbit-in
>>
>>     Class-map: mac-any-any (match-any)
>>       0 packets, 0 bytes
>>       30 second offered rate 0 bps, drop rate 0 bps
>>       Match: access-group name mac-any-any
>>         0 packets, 0 bytes
>>         30 second rate 0 bps
>>
>>     Class-map: class-default (match-any)
>>       0 packets, 0 bytes
>>       30 second offered rate 0 bps, drop rate 0 bps
>>       Match: any
>>         0 packets, 0 bytes
>>         30 second rate 0 bps
>>
>> Does anyone have any pointers as to what I'm doing wrong? Below is my
>> config.
>>
>> mac access-list extended mac-any-any
>>  permit any any
>> !
>> class-map match-any mac-any-any
>>  match access-group name mac-any-any
>> !
>> policy-map police-10mbit-in
>>  class mac-any-any
>>   police 10000000 1000000 exceed-action drop
>> !
>> interface GigabitEthernet0/14
>>  service-policy input police-10mbit-in
>> !
>>
>> I've also tried with just class-default, but got the same result.
>>
>> I am currently using the "vlan" SDM profile, if that makes any difference.
>>
>> Cheers,
>> Tom
>>
>> _______________________________________________
>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>
> 
> 